Check your .htaccess files!

Hackers blocking hackers, the irony.

         

incrediBILL

3:20 am on Jul 28, 2012 (gmt 0)




It appears that the hackers are now modifying .htaccess files to stop the next hacker from making the same intrusions.

Interesting reading:
[blog.spiderlabs.com...]
One of the major goals of these attacks are to try and download/install webshells and backdoors. ... The remote RFI file is a PHP backdoor program. One of the more interesting aspects of this code is the following section of code where the attacker wants to prevent others from exploiting the same vulnerability:


So it would appear that just like we have alarms for index pages and other things being changed on the server, now we also need to test for .htaccess files being changed as well.

I could think of some good reasons already, but the fact that hackers are using it to keep out other hackers is a pretty good reason to test the file IMO.
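One way to implement the .htaccess change alarm suggested in the post above, as an added example that is not part of the original thread. The function names and the baseline file are assumptions; in practice the baseline should live outside the docroot, somewhere the web server user cannot write.

```python
import hashlib
import json
import os
import tempfile

def snapshot(docroot):
    """Map each .htaccess path (relative to docroot) to a SHA-256 of its content."""
    digests = {}
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, "rb") as fh:  # hash content: timestamps can be reset
                digests[os.path.relpath(path, docroot)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff(baseline, current):
    """Return sorted relative paths that were added, removed or modified."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }

def check(docroot, baseline_file):
    """Compare docroot with the stored baseline; record the baseline on first run."""
    current = snapshot(docroot)
    if not os.path.exists(baseline_file):
        with open(baseline_file, "w") as fh:
            json.dump(current, fh, indent=2)
        return diff(current, current)  # first run: nothing to compare yet
    with open(baseline_file) as fh:
        return diff(json.load(fh), current)

def demo():
    """Constructed sample: one .htaccess is edited, a second one appears."""
    with tempfile.TemporaryDirectory() as root:
        docroot = os.path.join(root, "htdocs")
        os.makedirs(os.path.join(docroot, "uploads"))
        with open(os.path.join(docroot, ".htaccess"), "w") as fh:
            fh.write("Options -Indexes\n")
        baseline = os.path.join(root, "htaccess-baseline.json")
        check(docroot, baseline)  # records the known-good state
        with open(os.path.join(docroot, ".htaccess"), "a") as fh:
            fh.write("# unexpected edit\n")
        with open(os.path.join(docroot, "uploads", ".htaccess"), "w") as fh:
            fh.write("# file that was not there before\n")
        return check(docroot, baseline)

if __name__ == "__main__":
    print(demo())
```

Run `check()` from cron and alert on any non-empty list; after a legitimate edit, delete the baseline file so the next run records the new state.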

lucy24

10:31 am on Jul 28, 2012 (gmt 0)




Now, those of us who tweak our htaccess files every other day... ;)

wilderness

3:29 pm on Jul 28, 2012 (gmt 0)




I've a nagging recollection that there was a thread in the SSID Forum on the URIs that are in the second group of the link you've provided.

I had two such visits (one in May and one in June) that contained "dallow_url" in the URI.
Both from different (and apparently compromised) machines.

Haven't seen one for July thus far.